The Indiana Supreme Court became one of the first state high courts to weigh in and issue a decision on whether crime insurance provides coverage for ransomware attacks. The trial court’s ruling in favor of Continental Western Insurance Co.’s motion for summary judgment upheld the denial of G&G Oil Co.’s bid for coverage. The Supreme Court remanded the case because further fact-finding was necessary to uncover the “fraudulent” nature of the hacker’s actions. It was important to determine how the hacking was conducted. Therefore, until this information is uncovered, neither party was entitled to summary judgment.

The case arose out of G&G’s purchase of commercial insurance. The policy contained various coverages, including “Commercial Crime Coverage.” There was a specific provision that provided coverage for “Computer Fraud.” Within the policy period, G&G discovered it was locked out of its computer systems. A ransomware attack, a “malicious computer code that renders the victim’s computer useless by blocking access to the programs and data” had halted G&G’s operations. In conjunction with the FBI, G&G contacted the hackers to negotiate a price to release the server’s blockages. G&G paid the requested ransom with four bitcoins, valued at approximately $35,000.

When G&G submitted the claim to Continental, coverage was denied on the basis that hacking was excluded pursuant to the “Agribusiness Property and Incomes Coverages,” which specifically disclaimed computer hacking and viruses. Additionally, Continental believed the Bitcoin was voluntarily paid to the computer hacker, which meant the Policy’s Commercial Crime provision would not be utilized. G&G filed a complaint seeking judicial enforcement of the Commercial Crime Provision. Continental filed a cross-motion for summary judgment.

The Supreme Court found that while these facts may give rise to fraud, there were still outlying questions. For instance, hacking can occur without fraud, but rather an inadequate security system. Therefore, until additional facts are provided, allegations of hacking were not enough to trigger coverage.

Additionally, the court deemed the Policy phrase, “fraudulent cause transfer” to be ambiguous. “Fraud” can range from a material misrepresentation invoking reliance to an “intentional perversion of truth.” Courts have also discussed the term “fraud” and have found it is generic and is often used in diverse ways. Therefore, the denial of coverage is likely unfounded as the Policy terms and provisions do not provide a fair basis.

This case is addressing this new intersection between computer fraud coverage, hacking and crime. To date, courts have had limited experience addressing each of these issues in the context of crime insurance. The evolving digital environment will likely introduce new issues that can give rise to coverage and expand existing scopes of coverage.

For more information about this article, contact Samantha Rothman at srothman@tresslerllp.com.

The post Hack Attack: Indiana Supreme Court Examines Ransomware Coverage  appeared first on Privacy Risk Report.

While this year has been an unpredictable year for all data collectors, it has been especially harsh for public and private schools. In addition to various obligations on all data collectors, schools hold sensitive information belonging to children that require more obligations.  Schools must balance these obligations as they lead their students and employees through online learning during 2020. That is, to continue teaching children, most schools have had no choice but to rely on third-party applications that require entrusting this sensitive data to outside vendors. Further, many schools are facing new state laws requiring schools more steps be taken to protect student data. The last thing schools need right now is an increase in ransomware attacks.

Of course, while many people have concerns and are grateful for schools during this time, hackers see opportunity. Namely, there are a number of new reports that schools are facing a substantial increase in ransomware targeting schools specifically. For example, on November 13, 2020, the Wall Street Journal addressed the uphill battle facing schools in an article titled, “Schools Struggling to Stay Open Get Hit by Ransomware Attacks.” This article examines a recent incident for a school district in Athens, Texas. As seen with many ransomware incidents, the technology chief for Athens schools, Tony Brooks, recalls one fateful day where he was contacted by school district employees reporting they could not log onto their computers. Of course, when he tried to log onto his computer, Mr. Brooks found a message stating: “All your important files are encrypted.”

Mr. Brooks immediately began negotiating with the hackers and, as commonly seen, he learned his school district’s hackers wanted to be paid in bitcoin. Ultimately, Mr. Brooks was able to cut off negotiations with the hackers before any payment was made when the school district come across a backup server holding the same information as the server compromised by the ransomware attack.

While the ransomware attack profiled in the Wall Street Journal merely costs Mr. Brooks’ school district substantial time in negotiating with the hackers and finding a fix short of paying the ransom, this situation makes it clear that school districts should not rely on luck to protect student data.

Another recent article, published on November 14, 2020, in the Las Cruces Sun-News entitled, “One Year Later: What the Ransomware Attack Taught Us About A Crisis” provides a first-hand account of the devastating effect a ransomware attack can leave on a school district. The author, Karen Trujillo, the Las Cruces School District superintendent, recalled a ransomware attack that hit her school district a year ago:  

There is a day in our district’s history that will be etched in the minds of Las Cruces Public Schools for quite some time. It was Oct. 29, 2019. I had been on the job as the interim superintendent for about two months when, in a matter of hours, our entire digital infrastructure at LCPS was swept away.

Our IT director, Matt Dawkins, got a call around 7 a.m. that one of our employees was having trouble gaining access to the server. “It’s ransomware,” Matt said. By 7:30 a.m, it was confirmed that 90 percent of our server systems were crippled. Our financial systems, student information, printers — all data storage was out of reach.

In addition to teachers losing all access to the technological tools they had grown accustomed to using to teach, Ms. Trujillo faced a number of significant burdens, including:  “Matt’s team of 21 people worked 18-hour days through Thanksgiving, Christmas and beyond, scrubbing more than 30,000 devices that needed to be rebuilt.” And, despite having to go through a terrible experience, Ms. Trujillo sees a silver lining in suffering a ransomware attack:

We thought the ransomware attack was our disaster for the year, but just when we started to rise from the ashes, the global pandemic thrust us into another crisis. It was as if the ransomware was a trial run for the situation we are in now. We were able to flip the switch from children in classrooms to remote learning in a weekend, rather than months. We went from no technology for learning to only technology for learning. The new devices we ordered during ransomware arrived just in time to get them in the hands of students who needed them. A year later, we understand the reality of cyberattacks, and — as a global pandemic — we know that no one is immune. Since then, we have installed firewalls, updated our systems, invested in our teachers and improved our infrastructure so we can protect ourselves. As we navigate through this pandemic, we use what we learned during the ransomware attack to handle the current crisis.

Interestingly, the WSJ article found the “[a]verage ransom payments across all industries have climbed in recent years, to $233,817 in the third quarter of this year from $41,198 a year earlier.”  And, the amount demanded as a ransom is expected to continue to rise.  It is now clear that school districts must make preparing for ransomware attacks a priority. And, if there was not enough of an incentive already to prepare for a ransomware attack, Illinois schools must be ready to implement additional steps by July 1, 2021, to meet the amended Student Online Personal Protection Act (“SOPPA”) requirements.

In order to effectively protect employee and student data, schools must have answers to at least the following questions:

• Is the school district prepared for a ransomware attack?
  • Would the school district pay the ransom?
  • How much would the school district be willing to pay for a ransom?
  • Where does the school district get bitcoin to pay a ransom?
  • Can the school district continue to teach while information is encrypted?
  • Does the school district have insurance that covers a ransomware event?
• What third-party vendors is the school district providing student data to?
• What third-party vendors are teachers providing student data to?
• What safeguards do third party vendors have in place to protect student data?
• Does the school district have insurance for a ransomware event at a vendor?
• Are there any state laws that give rise to requirements in the school district?
• Who in the school district will respond to students’ and parents’ questions about an incident?

For more information about this article, contact Todd Rowe, working at home, of course, at trowe@tresslerllp.com.

The post Hackers See Opportunity In Attacking Schools As They Teach Through A Pandemic appeared first on Privacy Risk Report.

Ransomware attacks are on the rise and appear to be a long-term problem. For example, last February in California, the Orange County Transportation Authority (OCTA) suffered a ransomware attack that shut down a number of its computers, causing more than $600,000 in damages. Specifically, the OCTA reportedly paid nearly $330,000 in labor costs and $218,000 for emergency contracts for technical assistance with the incident. The attack is said to have cut off access to 88 OCTA servers that limited access to a number of programs including e-mail, voicemail, intranet, employee assignments and payroll. Rather than pay the requested $8,500 ransom, OCTA worked for days to restore the servers, find the malware and secure the servers against future attacks. OCTA officers stated that services were uninterrupted and no credit card or other personal information was compromised during the attack. This ransomware attack and the OCTA response provide a great opportunity to analyze the response in the hours, days and months after a ransomware attack.

Hours After Cyber Attack: Pay $8,500 Ransom or $600,000 to Fight the Hackers

In defending the decision to not pay the ransom, the OCTA spokesperson stated, “[t]he FBI opposes paying ransom for cyber attacks, and so does [the Transportation Authority]. If we pay ransom to a criminal, there is no guarantee that our servers would be released, and the agency would likely be a target again because the attackers know they pay up.”

Regardless of whether this decision was correct or not, it’s clear that victims will have to make the tough decision on whether to pay the ransom or fight their attackers in the first few hours after an attack. While there is no information about when OCTA made this decision, the best strategy includes considering the potential for an attack and having a plan prior to an attack. Here, OCTA adopted a philosophy not to pay the ransom. While there are valid arguments to both situations, there is no question that the best time to make this decision is before a ransomware attack.

Days After Cyber Attack: Violation of California’s Open Meetings Law?

Since the attack, people have started to question whether OCTA complied with California’s Open Meetings Law, which requires governmental entities to make information available to the public. The OCTA’s board members were not notified about the attack until it had been resolved and the public received no information beyond statements that OCTA was experiencing technical problems. Now that the attack has been disclosed, some opponents are questioning the OCTA’s $218,000 payment for security because it “was not on the agenda and it was authorized in an unlawful closed session.” The OCTA spokesperson reasoned that, “[t]he last thing we want to do is make a public announcement…why would you let people know that your systems are compromised? It would invite, potentially, other people to hit you.”

In the days after a cyber attack, the key for any organization will be to determine its obligations under various state and federal laws. One important question will be whether the private information of others was compromised in the attack. In this situation, OCTA stated “…in this crime against OCTA, information wasn’t lost or stolen and service wasn’t disrupted. If that had been the case, those impacted would have been notified…”

Therefore, the ransomware incident at OCTA demonstrates that different types of cyber crimes will give rise to different obligations for the victim. Further, this attack demonstrates the importance that an organization must consider all the various local, state and federal regulations that may apply given certain scenarios before an incident occurs.

Months After Cyber Attack: Providing Notice and Protecting Against Future Attacks

The OCTA ransomware incident was not publicly disclosed until the first week of August, nearly six months after the incident. While OCTA claims it waited to disclose this incident until it was certain that its systems were safe from further attacks, there is growing concern that a number of cyber incidents are not being reported for reasons other than safety. In fact, there may be a number of reasons to not disclose an incident. For example, there is significant evidence that the underreporting of these incidents by government and corporate leaders comes from their worry about the impact an incident could have on their careers. Also, the risk that an entity’s reputation will be tarnished is another reason cyber incidents go unreported.

In the end, it is easy to second guess some of OCTA’s decisions in the time after the ransomware attack; anyone responsible for cyber security should assume their actions will be questioned after a cyber incident. However, the best way to survive this scrutiny is to consider as many cyber security issues before an incident ever happens.

The post Step By Step Analysis of a Response to Recent Ransomware Attack appeared first on Privacy Risk Report.

Over the last few years, cyber security has focused on incidents where there is no contact with the criminal. That is, a data breach would occur and the criminal would be long gone before the victim knew there was an issue. Recently, we have seen cyber security incidents evolve to a point where the victim and criminal must confront each other in some manner. One example is the rise of ransomware, where the victim must negotiate with the criminal to regain access to their data. Some insurers have already responded to the ransomware risk by offering cyber extortion endorsements.

Another example where victims and criminals interact is cyberbullying, where the victim is harassed by a criminal via e-mail or social media. Recent statistics show many schools and households are struggling with cyberbullying. For example, the U.S. Department of Health and Human Services provides the following facts and statistics related to cyberbullying:

• Cyberbullying can happen 24 hours a day, 7 days a week, and reach a kid even when he or she is alone.
• Cyberbullying messages and images can be posted anonymously and distributed quickly to a very wide audience.
• It can be difficult and sometimes impossible to trace the source. Deleting inappropriate or harassing messages, texts and pictures is extremely difficult after they have been posted or sent.

Additionally, the 2013-2014 School Crime Supplement (National Center for Education Statistics and Bureau of Justice Statistics) indicates that 7% of students in grades 6–12 experience cyberbullying. The 2013 Youth Risk Behavior Surveillance Survey also finds that 15% of high school students (grades 9-12) were electronically bullied in the past year.

Last year, the Colorado legislature enacted “Kiana’s Law” to address cyberbullying. Kiana’s Law is named after Colorado teenager Kiana Arellano, who tried to commit suicide after receiving anonymous bullying text messages such as “you’re pathetic,” “nobody likes you at school” and telling Kiana she should kill herself. After attempting suicide, Kiana was left with a traumatic brain injury. The person that sent these messages was not prosecuted since there was no law prohibiting this conduct at the time.

Cyberbullying is not limited to children, as reports indicate that 73% of American adults online have seen someone be harassed online and 40% have personally experienced it. For example, musician Carrie Underwood was recently the target of cyberbullies who accused her of being “fake” and having plastic surgery.

Under Kiana’s Law, cyberbullying is now a misdemeanor form of harassment in Colorado, punishable by a fine of up to $750 and/or up to six months in jail.

In December 2015, Chubb Insurance began offering cyberbullying insurance coverage in the United Kingdom for cyberbullying victims, including counseling and lost income benefits for work missed due to harassment. Chubb’s policies define cyberbullying as “three or more acts by the same person or group to harass, threaten or intimidate a customer.” Last week, Chubb expanded it’s cyberbullying coverage outside of the U.K. to customers in Colorado, Illinois, Indiana and Wisconsin, which will provide $60,000 toward expenses caused by cyberbullying to its policyholders.

It is becoming increasingly clear that cyber crime is evolving to catch victims before they have the opportunity to put safeguards in place. For example, just as corporations and individuals started implementing plans and insuring against a data breach risk, criminals changed tactics and moved onto ransomware and cyberbullying. Therefore, the only way to implement proper technology and insurance safeguards is to vigilantly monitor cyber crime trends.

The post The Rise of Ransomware and Cyberbullying Insurance appeared first on Privacy Risk Report.